Add field matching rules to your lookup configuration

These attributes provide field matching rules for lookups. They can be applied to all three lookup types. Add them to the transforms.conf stanza for your lookup.

Attribute

Type

Description

Default

max_matches

Integer

The maximum number of possible matches for each value input to the lookup table from your events. Range is 1-1000. If the time_field attribute is is not specified, Splunk software uses the first <integer> entries, in file order. If the time_field attribute is specified (because it is a time-bounded lookup), Splunk software uses the first <integer> entries, in descending time order. In other words, up to <max_matches> are allowed to match. When this number is surpassed, Splunk software uses the matches closest to the lookup value.

100 if the time_field attribute is not specified. 1 if the time_field attribute is specified.

min_matches

Integer

The minimum number of possible matches for each value input to the lookup table from your events. You can use default_match to help with situations where there are fewer than min_matches for any given input.

0 for both non-time-bounded lookups and time-bounded lookups, which means nothing is output to your event if no match is found.

default_match

String

When min_matches is greater than 0 and and Splunk software finds fewer than min_matches for any given input, it provides this default_match value one or more times until the min_matches threshold is reached.

Allows non-exact matching of one or more fields arranged in a list delimited by a comma followed by a space. Format is match_type = <match_type>(<field_name1>, <field_name2>,...<field_nameN>). Set match_type to WILDCARD to apply wildcard matching, or set it to CIDR to apply CIDR matching (specifically for IP address values).

Comments

Enter your email address, and someone from the documentation team will respond to you:

Send me a copy of this feedback

Please provide your comments here. Ask a question or make a suggestion.

Feedback submitted, thanks!

You must be logged into splunk.com in order to post comments.
Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic.
If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk,
consider posting a question to Splunkbase Answers.

0
out of 1000 Characters

Your Comment Has Been Posted Above

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website.
Learn more (including how to update your settings) here »